Cyber security has made its ultimate mainstream breakthrough. This week, a relatively minor hack targeted at Apple not only made the BBC 10 O’clock News, but warranted a lengthy studio discussion between presenter Sophie Raworth and a BBC security correspondent.

As businesses come to understand the full implications, there is likely to be quite some uproar over plans to effectively police and regulate the data security of almost any firm that offers some form of electronic or online service, from social media to retailers to banks.

US internet firms are lobbying to water down the proposals, and European companies are pushing back on plans for mandatory data breach reporting. There will be other concerns yet, and it seems certain that before long we will be bracketing IT security providers alongside lawyers as the guaranteed beneficiaries.

But the problem ultimately remains one of the IT industry’s own making.

Security is still an afterthought too often. Few, if any, of the software and hardware systems that are used on a regular basis were designed with security in mind from the start. Security is still a feature to be added in, rather than a fundamental element of product strategy, architecture, design and development.

The need for regulation is in itself an indictment of the failure of technology providers. But many of the proposed rules will serve only to allow those suppliers to sell more products and make more money, instead of changing their behaviour.

The users of technology will bear the brunt and cost of compliance with the EU’s directives, not the providers of the technology upon whom they rely. This, surely, risks missing an opportunity to force change on a negligent IT industry.

1 comment


The issue with "security breach notification" is what it actually means. The most serious breaches are those which are only discovered when customers are being systemically defrauded and a backwards investigation finds the source. But what happens when you cannot find one and do not know whether the fraud is only against your customers or is also against those of your peers as well and the breach is somewhere else? Thus I am told the common factor in a current set of "converged frauds" (i.e. they mix on-line with mail intercept to collect the supposedly secure authentication devices) is that the victims are company directors and the information used to start the impersonation process is a matter of public record via Companies House. The Commission proposals have worthy objectives but are like fighting the battle of the Somme with troop training using the 1896 infantry manual instead of the 1911 manual. The result was slaughter, while the one General who had retrained all his replacements using the 1911 manual got all his day one objectives with hardly a man lost.